1. Technical Field
The present invention relates to source authentication in group communications, and more particularly, to a method by which a sender sending messages to multiple receivers signs the messages using symmetric cryptographic mechanisms and the messages can be verified by the receivers as coming from the purported sender.
2. Description of the Related Art
The following papers provide useful background information, for which they are incorporated herein by reference in their entirety, and are selectively referred to in the remainder of this disclosure by their accompanying reference numbers in angle brackets. For example, <1> refers to the 1997 paper by Krawczyk.
1. H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. IETF RFC 2104, February 1997.
2. NIST. Digital Signature Standard (DSS), May 19, 1994.
3. P. R. Zimmermann. The Official PGP User's Guide. MIT Press, May 3, 1995.
4. R. Housley, W. Ford, W. Polk, and D. Solo. Internet X.509 Public Key Infrastructure Certificate and CRL Profile. IETF Network Working Group RFC 2459, http://www.ietf.org/rfc/rfc2459.txt, January 1999.
5. S. Gupta and S. Chang. Performance Analysis of Elliptic Curve Cryptography for SSL. In Proceedings of the ACM Wireless Internet Security Workshop (WiSe'02), Atlanta, USA, September 28, 2002. ACM.
6. P. Prasithsangaree and P. Krishnamurthy. On a Framework for Energy-Efficient Security Protocols in Wireless Networks. Elsevier Computer Communications, 27:1716-1729, 2004.
7. S. Seys and B. Preneel. Power Consumption Evaluation of Efficient Digital Signature Schemes for Low Power Devices. In Proc. 2005 IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (IEEE WiMob 2005), volume 1, pages 79-86. IEEE, 2005.
8. W. Freeman and E. Miller. An Experimental Analysis of Cryptographic Overhead in Performance-Critical Systems. In Proc. 7th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS'99), pages 348-357, College Park, MD, USA, October 1999. IEEE.
9. M. Bohge and W. Trappe. TESLA Certificates: An Authentication Tool for Networks of Compute-Constrained Devices. In Proc. 6th International Symposium on Wireless Personal Multimedia Communications (WPMC '03), Yokosuka, Kanagawa, Japan, October 2003.
10. A. Roy-Chowdhury and J. S. Baras. A Certificate-Based Light-Weight Authentication Algorithm for Resource-Constrained Devices. Technical Report CSHCN TR 2005-4, Center for Satellite and Hybrid Communication Networks, University of Maryland, College Park, 2005.
11. X. Ding, D. Mazzocchi, and G. Tsudik. Equipping Smart Devices with Public Key Signatures. ACM Trans. Internet Technology, 7(1):3, 2007.
12. Compaq iPAQ Pocket PC H3600 series, http://h18002.www1.hp.com/ products/quickspecs/10632 div/10632 div.HTML#%QuickSpecs.
13. N. Potlapally, S. Ravi, A. Raghunathan, and N. Jha. A Study of the Energy Consumption Characteristics of Cryptographic Algorithms and Security Protocols. IEEE Transactions on Mobile Computing, vol. 5, no. 2, pp. 128-143, February 2006.
14. A. Perrig, R. Canetti, D. Song, and J. D. Tygar. The TESLA Broadcast Authentication Protocol. RSA CryptoBytes, Summer 2002.
15. M. Naor and M. Yung. Universal One-Way Hash Functions and Their Cryptographic Applications. In STOC '89: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pages 33-43, New York, NY, USA, 1989. ACM.
Security is a necessary parameter in networks (such as wireless networks, hybrid wireless networks, etc.) if the communication between a pair of nodes, or a group of nodes, is to be protected from unauthorized access. In wireless networks, due to the open nature of the wireless channel, intruders can eavesdrop on the communication between other nodes if the messages are sent in the clear; they can inject fake messages into the network, purporting to come from other nodes, or attempt to modify or delete messages between other nodes. Therefore, strong security mechanisms to prevent such attacks are important, especially for scenarios like military operations where hybrid wireless networks can be of great use. In this context, a hybrid wireless network refers to a network architecture in which there is some centralized infrastructure, such as a satellite overlay, over large wireless networks. In such hybrid networks, the terrestrial wireless nodes are grouped into clusters, with each cluster having one or more “gateway” nodes with dual wireless and satellite connectivity, providing alternate high-bandwidth and robust forwarding paths through satellite links, in addition to the terrestrial wireless links.
Security of communication can be achieved using several different mechanisms. Encryption hides the messages in cipher text and thus prevents eavesdropping on the communication. In the process of authentication, each message is “stamped” with a unique “marker” of the originating node which ensures that messages are accepted from legitimate nodes only, and fake messages are discarded. Associated with authentication are message integrity protocols where each message is similarly stamped with a unique marker by the originating node so that any unauthorized modification in transit invalidates the marker and thus the modification can be easily detected.
For unicast communication, solutions for authentication and message integrity are trivial—the two communicating parties A and B share a secret exclusively between themselves and make use of this secret, or a key derived thereof, to “sign” the messages between themselves. The secret or key used can be based on symmetric cryptography that is fast, efficient, and does not consume significant computation or energy resources at the communicating nodes. The corresponding message signature is usually a Message Authentication Code, or MAC in short (for example, HMAC <1>), which is resource-efficient to compute and to verify, and limited in size.
The problem is more complicated for group communication. When multiple parties are taking part in a communication session, a shared secret between the parties is not a solution. For group communication, it is preferable that authentication be done based on asymmetric techniques where each node possesses a unique secret known to no other node, and makes use of that secret to authenticate itself, or the messages it generates. Public key cryptography allows such asymmetric authentication to take place. In public-key cryptography, each source uses its private key to sign messages it generates, creating a digital signature that is appended to the message <2>. The receivers can verify the signature using the corresponding public key of the node, which is known to everyone from the source's certificate. The primary requirement is that all users have access to a common third party node called the Certificate Authority (CA) that is universally trusted. The CA is responsible for binding a node's identity to its public key in the node's public-key certificate—for example, PGP <3> and X.509 <4>, which are the two most commonly used certificate formats. The certificate can be freely distributed to all nodes in a network, and the correctness of the certificate is verifiable by any node that has access to the CA.
FIG. 1 illustrates an example of a group communication scheme based on the public key infrastructure. Node A 101, Node B 102, and Node C 103 are nodes (for example, wireless nodes such as cell-phone units) which communicate with each other, and there exists a central node 104 which is trusted by each of the nodes 101, 102, and 103. The central node acts as a certificate authority and issues each of the nodes 101, 102, and 103 their respective certificates, which include, among other things, their respective identities and their public keys. Assume that A sends message X to B. Node A transmits to Node B the message X, hash(X) signed with the private key of A, and the certificate for A. Node B receives the whole packet and retrieves hash′(X) using the public key of A obtained from the certificate for A. Next, Node B takes a hash of the message X and compares it to hash′(X). If they match, the message is authenticated and verified as coming from Node A.
Public-key cryptography is a powerful tool that facilitates authentication, message integrity and also data encryption. However, it is computationally very expensive (both in CPU cycles and energy expenditure) to generate digital signatures for messages, and also to verify them <5,6,7,8>. The public and private keys are larger in size compared to symmetric keys, and the certificates also take up considerable storage space. In wireless networks where many of the nodes might have resource constraints, public-key cryptography can be a severe burden. For example, handheld devices have limited processor power, storage capacity and available energy. Performing digital signature generation and verification frequently can consume significant processor capacity and drain the battery quickly. Therefore in wireless networks, hybrid wireless networks, or in any network with resource constrained nodes, it is preferable to use authentication protocols that are based on symmetric cryptographic primitives—being efficient in terms of processing load, symmetric operations would expend less node energy. However, designing authentication protocols for group communication using symmetric cryptography is a significant challenge. The primary difficulty is how to create the asymmetry such that each participant has a unique secret with which to authenticate its messages, while allowing all the receivers the capability for validation. This is assuming that the security association between each source and the group of receivers is generated on-the-fly, and does not make use of pre-shared secrets between every pair of nodes, which is the trivial solution that does not scale well.
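The unicast MAC of <1>, the FIG. 1 signing and verification flow, and the reason a single key shared by the whole group gives no source authentication, as an added Go example that is not part of this disclosure. It uses HMAC-SHA256 and Ed25519 from Go's standard library as stand-ins for the MAC and signature scheme; the keys and messages are constructed, and the certificate for A is represented only by the public key it would carry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Unicast MAC of <1>: HMAC-SHA256 under the key k shared by one pair of nodes.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// With one key shared by the whole group, a tag that C computes on a message
// claiming to be from A verifies at B exactly as A's own tag would: no source auth.
func GroupMACLacksSourceAuth(groupKey []byte) bool {
	claimed := []byte("from=A;payload=constructed sample")
	tagByC := macTag(groupKey, claimed)                  // C holds the same key as A
	return hmac.Equal(macTag(groupKey, claimed), tagByC) // B accepts: true
}

// FIG. 1: A sends X plus a signature over hash(X) made with A's private key, and
// B checks that signature with the public key carried in cert_A.
func signMessage(priv ed25519.PrivateKey, x []byte) []byte {
	h := sha256.Sum256(x)
	return ed25519.Sign(priv, h[:])
}

func verifyMessage(pubFromCert ed25519.PublicKey, x, sig []byte) bool {
	h := sha256.Sum256(x)
	return ed25519.Verify(pubFromCert, h[:], sig)
}

// Reports whether B accepts A's genuine message, a message signed with C's key
// but presented with cert_A, and A's message altered in transit.
func FigureOneScenario() (genuine, impersonated, tampered bool) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // constructed keys
	_, privC, _ := ed25519.GenerateKey(rand.Reader)
	x := []byte("message X from A")
	sigA := signMessage(privA, x)
	genuine = verifyMessage(pubA, x, sigA)                                 // true
	impersonated = verifyMessage(pubA, x, signMessage(privC, x))           // false
	tampered = verifyMessage(pubA, append([]byte("altered "), x...), sigA) // false
	return
}
```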
Therefore, it is an objective of the present disclosure to provide an asymmetric user authentication protocol for group communication, which would be especially useful where wireless mobile devices, or other devices for which energy is a precious resource, are used. User authentication, or source authentication, refers to the scheme by which a node proves its identity to another node; for example, node A claims to be node A and proves to node B that it is indeed node A. The techniques described in the present disclosure are based on a class of certificates called TESLA (Timed Efficient Stream Loss-tolerant Authentication) certificates. A prior art TESLA source/user authentication protocol was proposed in <14>. An authentication protocol using the TESLA certificate concept was originally proposed in <9>, and modifications and extensions to it were suggested in <10>. However, the prior art has certain problems which provide the motivation for the present disclosure.
In the TESLA certificate proposal described in <9>, the TESLA certificate algorithm allows a node to add authentication to packets it sends for a single period in time. The lifetime of the certificate is short. Therefore, a source node that transmits for multiple time intervals will need several TESLA certificates from the CA. If there are many sources that send data over long intervals, this can add up to a substantial overhead. The prior art algorithm focuses on point-to-point authentication between nodes of varying capabilities, for example, between a sensor node and its base station. It does not address authentication between peer nodes, or authentication in group communication. The algorithm also does not provide non-repudiation. Non-repudiation is a security term which means that a sender node cannot deny, at a later instant in time, that it had generated a message (in the past) that had been signed using its private key. Non-repudiation is an essential aspect of source authentication protocols for both unicast and group communication.